On 26-Jan-2009, at 23:03, Tony Toews [MVP] wrote:
> Ah, I think I see what is happening here. Searching at the below article for 63.217.28.226
> http://tech.slashdot.org/tech/09/01/24/0113210.shtml
> shows a reply stating: "The problem seems to kick in for DNS servers that aren't rejecting the queries. Someone is channeling ye 'ole smurfing methods. They're requesting a list of all DNS root servers. If the server doesn't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address."
That's right. By configuring the DNS server to respond with REJECT to queries for which it isn't authoritative, you make it respond with a packet that's exactly the same size as the original query -- negating the amplification side of the attack. Once the attacker realizes nobody is amplifying, it makes the method unattractive, since it's more costly than other types (such as a simple ping flood).
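As an added illustration of the configuration being described (not part of the thread, and not taken from any poster), here is a BIND 9 named.conf fragment that restricts recursion and cache access to local clients. A query from anywhere else for a name the server is not authoritative for, such as the root NS list, gets a short REFUSED reply instead of a large answer. The ACL ranges and zone name are placeholders.

```conf
// Added example, not from the thread. Placeholder networks: replace with
// the client ranges this resolver is meant to serve.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;       // placeholder IPv4 client network
    2001:db8::/32;      // placeholder IPv6 client network
};

options {
    directory "/var/named";

    // Recursive answers and cached data only for trusted clients.
    // Everyone else asking for non-authoritative names (e.g. "NS .")
    // receives a REFUSED response roughly the size of the query itself,
    // so the server no longer amplifies traffic toward a spoofed source.
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };

    // Authoritative zones below remain answerable from anywhere.
    allow-query { any; };

    // Keep authoritative replies small by omitting optional
    // authority/additional records.
    minimal-responses yes;
};

// Placeholder authoritative zone; served to all clients.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

To check the effect from an address outside the ACL, `dig @<server> . NS` should come back with `status: REFUSED` and no answer section, while queries for example.com are still answered normally.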
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users